New /harden skill runs a narrow-scope security audit covering
HTTPS/TLS transport, HSTS, security headers (CSP, X-Frame-Options,
X-Content-Type-Options, Referrer-Policy, Permissions-Policy),
cookie flags, canonical URLs, custom 404, and server config
hardening (.htaccess, nginx, netlify, vercel, cloudflare, next
config, astro middleware).
Reuses the seo-analyzer agent with a strict IN/OUT scope filter so
the report stays focused on hardening — no meta/OG/JSON-LD/sitemap/
CWV noise. Those remain owned by /seo and /geo.
FULL mode queries three independent third-party validators and
embeds their verdict in HARDEN.md:
- Mozilla Observatory (API v2 JSON, ~10s)
- SecurityHeaders.com (HTML scrape, ~5s)
- SSL Labs (API v3 async, poll up to 180s, cached via maxAge=24)
Divergence between code audit and external validators is surfaced
as a finding (config drift, CDN header overrides, conditional
middleware).
Flags: --local, --full, --fix, --no-external.
Routing rule added to CLAUDE.md; cso description narrowed to its
actual scope (secrets, deps CVE, OWASP code-level) to disambiguate
from /harden.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>